Fraud detection techniques for wireless network operators

ABSTRACT

A system and method are provided by which a network operator is able to detect fraudulent use of a subscriber&#39;s terminal, regardless of whether or not the subscriber is aware of the fraudulent use of her terminal. Detecting unauthorized terminal use in a wireless network includes recording a history of terminal location and registration patterns, analyzing the recorded history of location and registration patterns of the terminal, monitoring current location and registration patterns of the terminal, and requesting clarification when a deviation between said statistical analysis of the location and registration patterns of said terminal and said current location and registration patterns of said terminal is detected.

BACKGROUND OF THE INVENTION

[0001] This present invention relates to wireless networks. More particularly, the invention relates to detecting fraud in the use of wireless network services.

[0002] As the use of mobile wireless terminals in wireless networks increases, a serious challenge confronting wireless network service providers is reducing, and even eliminating, fraudulent access of intruders and imposters to wireless network services as well as their unauthorized use of the wireless network services. Fraudulent access to network services may occur as a result of theft and subsequent illegal use of one of the following: i) a mobile wireless terminal (which will be referred to as a “terminal” henceforth) that belongs to an authorized subscriber of their respective wireless network services, ii) a subscriber's user identification module (UIM), which may be a detachable security device without which a terminal may not be activated or connected to a network, or iii) a subscriber's security association (SA), which is an index to the abstraction of the details of the subscriber security scheme that may be placed in packets transferring a subscriber's data across the network. Such fraudulent access to network services may result in the loss of significant revenue for wireless network service providers as well as financial loss and personal inconvenience for individual users who are the victims of such fraud.

[0003] Currently, a subscriber who no longer has her terminal or UIM in her possession, as a result of, for example, theft, accident or even carelessness, may simply report the loss of the terminal or UIM to the wireless network service provider to which she subscribes, and then wireless network service provider may revoke or even terminate terminal access to the wireless network or inhibit registration or connection to the wireless network by the UIM to avoid inadvertent or fraudulent use of the wireless network services by someone other than the subscriber to the wireless network or appropriate user of the terminal. However, since the subscriber may be otherwise preoccupied, or even in view of the increasingly reduced size of terminals and the detachable nature of UIMs, the absence of a terminal or UIM from a subscriber's possession may not be noticed or detected until after a significant amount of fraudulent or otherwise unauthorized use of the terminal or UIM by an unauthorized user has occurred. Moreover, a subscriber may not be aware of the theft of her SA with the network through an intruder's electronic eavesdropping on the wireless channel. In such cases, the subscriber to the wireless network may be unaware that her terminal or UIM or SA has been used for fraudulent or otherwise inappropriate access to the wireless network services until she receives an invoice from the wireless network service provider that includes a detailed record of access to the wireless network services by her terminal or UIM, which may result in significant charges.

[0004] Thus, there is a need for a system and technique that protect wireless network service providers from the financial loss that result from the fraudulent or otherwise unauthorized access to and use of wireless network services, as well as protecting the subscribers of the mobile wireless network services from the financial loss and personal inconvenience that further result from such fraudulent or otherwise unauthorized use thereof.

SUMMARY OF THE INVENTION

[0005] The present invention provides a system by which a wireless network service provider, including the network operator, is able to detect fraudulent use of a mobile wireless terminal, a subscriber user's identification module (UIM) or a subscriber user's security association (SA) for accessing and using the wireless network services, regardless of whether or not the authorized subscriber is aware of such fraudulent use of her mobile wireless terminal, UIM or SA.

[0006] According to an aspect of the present invention, detecting unauthorized access to and unauthorized use of services in a wireless network includes recording a history of terminal location within the wireless network and dynamic monitoring of the terminal's registration patterns, analyzing the recorded history of location of the terminal within the wireless network, monitoring current location and registration patterns of the terminal within the wireless network, and requesting clarification when a deviation between said statistical analysis of the location and registration pattern of the terminal within the wireless network and the current location and registration pattern of said terminal within the wireless network is detected. The invention may be implemented in databases as well as control and transport entities of a network, either singularly or in combination with each other or further network entities.

BRIEF DESCRIPTION OF THE DRAWINGS

[0007] The scope of the present invention will be apparent from the following detailed description, when taken in conjunction with the accompanying drawings. The detailed description of example embodiments of the invention is provided as illustrations only, since changes and modifications within the spirit and scope of the invention will become apparent to those skilled in the art from this detailed description, in which:

[0008]FIG. 1 shows an example of a wireless network in which the present invention may be utilized.

[0009]FIG. 2 is a flowchart showing an example of a method according to the present invention.

DETAILED DESCRIPTION

[0010] In the following detailed description, example embodiments and values may be given, although the present invention is not limited thereto. Further, while example embodiments of the present invention will be described in conjunction with a method for detecting fraud in wireless networks as an example, practice of the present invention is not limited thereto.

[0011]FIG. 1 shows an example of a wireless network in which the present invention may be utilized. The example wireless network of FIG. 1 may include a plurality of cells 2 a, 2 b and 2 c that may provide a mobile terminal (hereinafter “terminal”) that belongs to a subscriber of services provided by the wireless network service provider with access to the network infrastructure, which may include, but is not limited to, an Internet Protocol (IP) infrastructure. Each of base stations BS1, BS2 and BS3 may serve as a transmitting and receiving station for terminals in the respective cells 2 a, 2 b and 2 c. The terminals may include, but are not limited to, telephones, pagers, laptop computers and other wireless transmitting and receiving systems. Therefore, based upon the services offered by the respective network service providers, the respective base stations BS1, BS2 and BS3 may or may not serve as an IP router, that is, the respective base stations may or may not have IP routing and processing capabilities.

[0012] Access gateways AG1, AG2 and AG3, which may be provided for the respective cells 2 a, 2 b and 2 c, are edge IP routing and control entities that connect one or more of the base stations BS1, BS2 and BS3 to the network 1. However, beyond the example network of the present application, it is noted that an access gateway may actually connect several base stations to a network, and further, in no way is the present invention limited to a network having only three cells or even a one-to-one ratio of base stations to cells. Authentication, authorization and accounting (AAA) entity 6 is a network operator entity for network 1 that receives, processes and accepts or denies registration requests for the terminal. Thus, the AAA entity 6 is able to dynamically monitor the registration patterns of the terminals.

[0013] The network 1 may further include geographic location manager (GLM) 3 that is a control/management entity for network 1. GLM 3 may receive and store information pertaining to the geographic location of active or registered terminals. Such information pertaining to the geographic location of active or registered terminals may be gathered from satellite positioning systems including, but not limited to, the Global Positioning System (GPS), which is well known in the art of communications. For the present description, reference will be made to GPS, although the present invention is not limited to use of only GPS.

[0014] The GLM 3 may gather information regarding the geographic location of a terminal 4 in the network 1 to which the terminal is registered, and, based on the gathered information, the GLM may compute a probability density function, which is a normalized histogram, of the exact location of the active subscriber terminal 4. The histogram may be refined with each additional geographic location update of the subscriber terminal 4, which may occur, for example, every time the subscriber terminal 4 re-registers with the AAA 6 of network 1 as the subscriber terminal 4 moves from one cell to another, from cell 2 a to 2 b in FIG. 1, or at predetermined time intervals. The GLM 3 may provide normalized histograms regarding the geographic location of subscriber terminal 4 across network 1 to network control entities of the operator, which may include, but is not limited to, AAA 6 and the transport entities of the respective cells, which include, but are not limited to, AG1-AG3.

[0015] Explanation of an example embodiment of invention will now be further explained in reference to the flow chart of FIG. 2. The example embodiment further refers to FIG. 1 in which a registered terminal, which is subscribed to a particular network, moves among cells 2 a through 2 c in the network 1, although the present invention and application thereof is in no way limited thereto. In addition, the example embodiment of the invention may be implemented by a program run by the network entities described herein.

[0016] After subscription to the services offered by the network services provider associated with network 1, as terminal 4 moves from cell 2 a to 2 b, for example, terminal 4 may re-register its location with the network operator of the network 1 in order to maintain a connection to the network 1. GLM 3 may gather information from a positioning system to monitor all movements and corresponding locations of the terminal 4 within the network 1 and may further maintain such tracking information in a GLM database, as in step 20. With each recorded location of the terminal 4 within the network 1, or at predetermined time intervals, GLM 3 may update a normalized histogram as in step 22, which includes a probability distribution, of the exact location of the terminal 4. GLM 3 continues to monitor movements and corresponding locations of the terminal 4 in network 1, as in step 22, and with each recorded location of the terminal 4 within the network 1, or at predetermined time intervals, GLM 3 may update the histogram for terminal 4 locations. The AAA entity 6, or any other designated operator entity, may monitor the locations and registration patterns of terminal 4 by retrieving the exact location of terminal 4 as well as the probability distribution of locations of terminal 4 from GLM 3 upon receiving a registration request from terminal 4, as in step 24.

[0017] Thus, a normalized histogram for the behavior of terminal 4 within the network 1 may be established. The histograms may include information regarding the geographic locations and registration patterns of the terminal 4 in the network 1. When a deviation from any of the patterns provided in the histograms for terminal 4 has been detected, as in step 26, the network operator entities, including AAA 6 and AG1-AG3, may be alerted that terminal 4, or its associated UIM or SA, may not be currently used by the subscriber thereof. Then the network operator entity, including AAA 6 or any other entities, which are provided with the updated histogram for terminal 4, may prompt a clarification protocol to determine whether terminal 4 is being used fraudulently, as in step 28.

[0018] A deviation from an established pattern of use for terminal 4 may result from, as examples only, theft, accident or loss, which results in terminal 4, or its associated UIM or SA, being used by someone other than the authorized subscriber to the wireless network. Further, a deviation from an established pattern of use for terminal 4 may result from a clone or intruder illegally impersonating the terminal 4 or its UIM or SA by other unauthorized electronic means, thus impersonating an authorized network subscriber.

[0019] A further example of a deviation from an established pattern of use for terminal 4 may include frequent repetitive attempts by a terminal for registration or connection to a network 1 from the same location. Such case may include a subscriber making repeated, unsuccessful attempts at registering for the network services provided on the network 1, with such registration or connection attempts being denied, often because a clone of terminal 4, is already connected to the network 1. In such case, a network operator including AAA 6 or any of the network operator entities that are provided with the histograms to monitor the activities of terminal 4 on network 1 may prompt the clarification protocol after a threshold number of attempts at registration or connection for a terminal 4 to network 1 have been denied within a threshold amount of time.

[0020] Another example of a deviation from an established pattern of use for terminal 4 may include a network operator including AAA 6 or any other operator entities that monitor the network activity of terminal 4 on network 1 receiving a registration or connection request from terminal 4 from an unlikely geographic location which has not been previously recorded in the GLM database. Although a registration or connection request from a new geographic location does not necessarily indicate fraudulent use of terminal 4, the network operating entities may prompt the clarification protocol to thereby protect the authorized subscriber, as well as the wireless network service provider, from fraud.

[0021] Yet another example of a deviation from an established pattern of use for terminal 4 may include a network operator entity including AAA 6 or any other operator entities that monitor the network activity of terminal 4 on network 1 receiving registration or connection requests from a subscriber for terminal 4 that are inconsistent and therefore suspicious. For example, if the registration or connection requests come from different geographic locations within an improbable time frame, for instance registration or connection requests are made in New York, N.Y. and Washington, D.C. within five minutes of each other, the network operator entities may understand that such requests within such a short amount of time are physically impossible, and therefore the network operator entities may then prompt the clarification protocol.

[0022] A further example prompt for the clarification protocol may include an outside party contacting the network operator to report difficulty in contacting the subscriber user of terminal 4.

[0023] The clarification protocol, shown in clarification request step 28, which is intended to determine whether terminal 4 is being used fraudulently may include a step of terminating access to network 1 by terminal 4 or denying re-registration of terminal 4 as it moves from cell 2 a to cell 2 b, as in FIG. 1 for example. In the alternative, the clarification request step 28 may include a step of allowing re-registration of the terminal 4 within a new cell in the network 1 and then transmitting a query to the terminal 4 requesting verification that the current user of terminal 4 is the actual subscriber. The query may be an automated or operator-initiated text or audio message, depending on the capabilities of the terminal 4, which is transmitted before allowing further activity on the network 1 by the terminal 4. Such query may include a request for predetermined subscriber information or predetermined security information including, but not limited to, social security information, mother's maiden name, date of birth, etc. If the current user of the terminal 4 is not able to respond to the query in a satisfactory manner, all activities by terminal 4 on the network 1 may be terminated, as in step 30. At such point, the network operator may implement further security measures including, but not limited to, contacting the authorized subscriber using predetermined security protocols including alternative forms of communication, contacting appropriate law enforcement authorities and prohibiting all future network activity by terminal 4 until the authorized subscriber has contacted the network service provider and satisfactorily proven that the terminal 4 is being used by an authorized user. Otherwise, no fraudulent use is found, and service on network 1 may continue for terminal 4, as in step 30′.

[0024] This concludes the description of the example embodiments. Although the present invention has been described with reference to illustrative embodiments thereof, it should be understood that numerous other modifications and embodiments can be devised by those skilled in the art that will fall within the scope and spirit of the principles of the invention. More particularly, reasonable variations and modifications are possible in the component parts and/or arrangements of the subject combination arrangement within the scope of the foregoing disclosure, the drawings and the appended claims without department from the spirit of the invention. In addition to variations and modifications in the component parts and/or arrangements, alternative uses will also be apparent to those skilled in the art. 

We claim:
 1. A method of detecting unauthorized terminal use in a network, comprising: recording a history of usage of a terminal; analyzing the usage of said terminal; monitoring current usage of said terminal; and requesting clarification upon detection of a deviation between said statistical analysis of the usage of said terminal and said current usage of said terminal.
 2. The method of claim 1, wherein the usage of said terminal includes at least one of location and registration patterns of said terminal.
 3. The method of claim 2, wherein said recording is performed by a geographic location manager (GLM).
 4. The method of claim 3, wherein said GLM records the satellite-based positioning information regarding said terminal in a database.
 5. The method of claim 4, wherein said analyzing the usage of said terminal includes said GLM computing a statistical analysis of the usage of said terminal.
 6. The method of claim 5, wherein the statistical analysis of the usage of said terminal produces a probability distribution of location of said terminal.
 7. The method of claim 5, wherein a deviation between said statistical analysis of the usage of the usage of said terminal and said current usage of said terminal includes one of re-registration of said terminal at a location that is not included in the statistical analysis of the usage of said terminal, re-registration of said terminal at a time that is not included in the statistical analysis of the usage of said terminal, and repeated denials of re-registration for said terminal.
 8. The method of claim 7, wherein said monitoring of current usage of said terminal is performed by a network operator entity.
 9. The method of claim 8, wherein said network operator entity is at least one of an authentication, authorization, accounting entity of said network and a control entity of a cell of said network.
 10. The method of claim 8, wherein said requesting of clarification is performed by said network operator entity.
 11. The method of claim 10, wherein said requesting of clarification includes: terminating registration of said terminal to said network; and denying said terminal further access to said network.
 12. The method of claim 10, wherein said requesting of clarification includes: sending a query to the user of said terminal; comparing the user's response to said query with user-security information stored in said network database; and terminating registration of said terminal to said network and denying said further access to said network if said user's response to said query does not satisfy the user-security information stored in said network database.
 13. A system for detecting fraudulent use of network subscribing terminals, comprising: a database that records a history of usage of a terminal in a network and analyzes the usage of said terminal; a control entity that monitors current usage of said terminal and requests clarification upon detection of a deviation between the statistical analysis of the usage of said terminal and the current usage of said terminal.
 14. The system of claim 13, wherein the usage of said terminal includes at least one of location and registration patterns of said terminal.
 15. The system of claim 14, wherein said database is included in a geographic location manager (GLM) that receives satellite-based positioning information regarding said terminal.
 16. The system of claim 15, wherein the statistical analysis of the usage of said terminal produces a probability distribution of location of said terminal.
 17. The system of claim 14, wherein a deviation between said statistical analysis of the usage of the usage of said terminal and said current usage of said terminal includes one of re-registration of said terminal at a location that is not included in the statistical analysis of the usage of said terminal, re-registration of said terminal at a time that is not included in the statistical analysis of the usage of said terminal, and repeated denials of re-registration for said terminal.
 18. The system of claim 17, wherein said control entity is either of an authentication, authorization, accounting entity of said network and a transport entity of said network.
 19. The system of claim 14, wherein, upon detection of the deviation between the statistical analysis of the usage of said terminal and the current usage of said terminal, said control entity requests of clarification by terminating registration of said terminal to said network and denying said terminal further access to said network.
 20. The system of claim 14, wherein, upon detection of the deviation between the statistical analysis of the usage of said terminal and the current usage of said terminal, said control entity sends a query to the user of said terminal, compares the user's response to said query with user-security information stored in said network database, and terminates registration of said terminal to said network and denying said further access to said network if said user's response to said query does not satisfy the user-security information stored in said network database.
 21. A computer-readable medium having computer-executable instructions for detecting unauthorized terminal use in a wireless network, said computer-executable instructions comprising: recording a history of usage of a terminal; analyzing the usage of said terminal; monitoring current usage of said terminal; and requesting clarification upon detection of a deviation between said statistical analysis of the usage of said terminal and said current usage of said terminal.
 22. The computer-executable instructions of claim 21, wherein the usage of said terminal includes at least one of location and registration patterns of said terminal.
 23. The computer-executable instructions of claim 22, wherein said recording is executed in a network database.
 24. The computer-executable instructions of claim 23, wherein said network database is included in a geographic location manager that receives satellite-based positioning information regarding said terminal.
 25. The computer-executable instructions of claim 24, wherein said analyzing the usage of said terminal includes said GLM computing a statistical analysis of the usage of said terminal.
 26. The computer-executable instructions of claim 25, wherein the statistical analysis of the usage of said terminal produces a probability distribution of location of said terminal.
 27. The computer-executable instructions of claim 25, wherein a deviation between said statistical analysis of the usage of the usage of said terminal and said current usage of said terminal includes one of re-registration of said terminal at a location that is not included in the statistical analysis of the usage of said terminal, re-registration of said terminal at a time that is not included in the statistical analysis of the usage of said terminal, and repeated denials of re-registration for said terminal.
 28. The computer-executable instructions of claim 27, wherein said monitoring of current usage of said terminal is performed by a network operator.
 29. The computer-executable instructions of claim 28, wherein said network operator is an authentication, authorization, accounting entity of said network or a control entity of said network.
 30. The computer-executable instructions of claim 29, wherein said requesting of clarification is performed by said network operator.
 31. The computer-executable instructions of claim 30, wherein said requesting of clarification includes: terminating registration of said terminal to said network; and denying said terminal further access to said network.
 32. The computer-executable instructions of claim 30, wherein said requesting of clarification includes: sending a query to the user of said terminal; comparing the user's response to said query with user-security information stored in said network database; and terminating registration of said terminal to said network and denying said further access to said network if said user's response to said query does not satisfy the user-security information stored in said network database. 